When started, dnsmasq reports:
dnsmasq: cannot open or create lease file /var/lib/misc/dnsmasq.leases: Permission denied
The selinux log shows:
avc: denied { search } for comm=dnsmasq dev=sda2 name=misc pid=3809 scontext=system_u:system_r:dnsmasq_t:s0 tclass=dir tcontext=system_u:object_r:system_crond_var_lib_t:s0
I have worked around this by commenting out the recently-added line
/var/lib/misc(/.*)? system_u:object_r:system_crond_var_lib_t:s0
in /etc/selinux/targeted/contexts/files/file_contexts.
dnsmasq should not be using this directory. Please create a directory for use by dnsmasq and I will set the labeling properly.
/var/lib/dnsmasq/ sound sane?
Daniel: I've made the necessary changes to dnsmasq in Rawhide; if you could work your selinux magic to make access to /var/lib/dnsmasq/ legal, I'd appreciate it. Thanks!
Hi,
@Aaron: you should store local definitions in /etc/selinux/targeted/contexts/files/file_contexts.local
@Jima: Aaron and your hints are working, but I see one additional issue: one has to change the default location to the mentioned one or change at least the default configuration file.
(In reply to comment #4)
> @Jima: Aaron and your hints are working, but I see one additional issue: one has
> to change the default location to the mentioned one or change at least the
> default configuration file.
Sounds like someone hasn't seen the disgusting hackery I had to put in Rawhide's dnsmasq. The %post for the Rawhide dnsmasq changes /var/lib/misc to /var/lib/dnsmasq in /etc/dnsmasq.conf. It's not great, but it should keep most people working, and make dnsmasq selinux-compliant.
Daniel, what's the status of the labeling in Rawhide? Did you get it squared away?
Should be fixed in rawhide now.
Fixed in selinux-policy-3.2.3-18.fc9
Fedora 8 also has it.
Fixed in selinux-policy-3.0.8-82.fc8
Awesome, thanks Daniel. I'm going to close this as RAWHIDE; due to the hacky nature of the directory-change workaround, I'm rather hesitant to push it for F8/F7.
Can you point me to selinux-policy-3.0.8-82.fc8? I did not find it.
BTW: I hope writing to the file is also allowed:
#============= dnsmasq_t ==============
allow dnsmasq_t system_crond_var_lib_t:file write;
Sorry, should have said 81. 82 is not released yet. 81 should be in fedora testing. It is allowed to write to /var/lib/dnsmasq which is labeled dnsmasq_leases_t (I believe).
Hm, something wrong with fedora updates testing, is it not up-to-date?
# date
Sa 26. Jan 11:47:23 CET 2008
# yum list --enablerepo updates-testing selinux-policy*
Loading "fastestmirror" plugin
Loading "security" plugin
Loading "presto" plugin
Loading mirror speeds from cached hostfile
 * updates-testing: download.fedora.redhat.com
 * updates: ftp.crc.dk
 * adobe-linux-i386: linuxdownload.adobe.com
 * fedora: ftp.crc.dk
Setting up and reading Presto delta metadata
updates-testing 100% |=========================| 2.3 kB 00:00
No Presto metadata available for updates-testing
No Presto metadata available for updates
No Presto metadata available for adobe-linux-i386
No Presto metadata available for fedora
Installed Packages
selinux-policy.noarch 3.0.8-76.fc8 installed
selinux-policy-targeted.noarch 3.0.8-76.fc8 installed
Available Packages
selinux-policy-devel.noarch 3.0.8-76.fc8 updates
selinux-policy-mls.noarch 3.0.8-76.fc8 updates
Problem persists in F8, even though change log says otherwise...
# rpm -qa selinux*
selinux-policy-targeted-3.0.8-81.fc8
selinux-policy-3.0.8-81.fc8
selinux-policy-devel-3.0.8-81.fc8
avc: denied { search } for comm=dnsmasq dev=sda6 egid=0 euid=0 exe=/usr/sbin/dnsmasq exit=4 fsgid=0 fsuid=0 gid=0 items=0 name=misc pid=17794 scontext=unconfined_u:system_r:dnsmasq_t:s0 sgid=0 subj=unconfined_u:system_r:dnsmasq_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:system_crond_var_lib_t:s0 tty=pts1 uid=0
Different issue maybe?
Are you using /var/lib/misc or /var/lib/dnsmasq? I haven't pushed the fix to use the latter into F8, due to the hacky nature of the migration script.
#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
This is the default in the config file. I have never changed it.
Your best bet is probably to:
# mkdir /var/lib/dnsmasq
# mv /var/lib/misc/dnsmasq.leases /var/lib/dnsmasq/
# echo "dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases" >> /etc/dnsmasq.conf
(since what you quoted is commented out anyway)
# service dnsmasq restart
After that, SELinux shouldn't complain. This will be the default behavior in F9.
You also need a restorecon -R -v /var/lib/dnsmasq/
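The workaround from the two comments above, combined into one idempotent shell function (an added example, not part of the original thread and not the %post script from the Rawhide package). The function name and the optional root-prefix argument are assumptions added here so the steps can be rehearsed on a scratch tree; restorecon runs only against the live system, because file contexts are assigned by path.

```shell
#!/bin/sh
# Added example: move the dnsmasq lease file to /var/lib/dnsmasq so it gets
# its own SELinux label instead of the one on /var/lib/misc.
# $1 (hypothetical parameter): root prefix, empty for the live system.
migrate_dnsmasq_leases() {
    root="${1:-}"
    old="$root/var/lib/misc/dnsmasq.leases"
    newdir="$root/var/lib/dnsmasq"
    conf="$root/etc/dnsmasq.conf"
    want="dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases"

    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    mkdir -p "$newdir" || return 1

    # Move existing leases once; a rerun never overwrites newer leases.
    if [ -f "$old" ] && [ ! -e "$newdir/dnsmasq.leases" ]; then
        mv "$old" "$newdir/" || return 1
    fi

    if grep -q '^[[:space:]]*dhcp-leasefile=' "$conf"; then
        # An active setting exists: rewrite it. Writing back with cat keeps
        # the config file's inode, mode and SELinux label unchanged.
        tmp="$conf.tmp.$$"
        sed "s|^[[:space:]]*dhcp-leasefile=.*|$want|" "$conf" > "$tmp" &&
            cat "$tmp" > "$conf"
        rc=$?
        rm -f "$tmp"
        [ "$rc" -eq 0 ] || return 1
    else
        # Only the commented-out default is present: append the setting.
        printf '%s\n' "$want" >> "$conf" || return 1
    fi

    # Apply the policy's label for the new path (live system only).
    if [ -z "$root" ] && command -v restorecon >/dev/null 2>&1; then
        restorecon -R -v "$newdir" || return 1
    fi
    return 0
}
```

On the live system, call it with no argument as root and then restart dnsmasq with `service dnsmasq restart`.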
This is a strange fix for F8 users... :( Dnsmasq just does not work after install, you have to make it manually.
*** Bug 449032 has been marked as a duplicate of this bug. ***
*** Bug 468279 has been marked as a duplicate of this bug. ***